"Target" not "URL"

CHANGELOG.md

@@ -10,7 +10,10 @@ Breaking changes:
 * None.
 
 Other notable changes:
-* None.
+* Fixed handling of non-`origin` request targets. Before v0.6.1, these were
+  treated as if they were `origin` requests (that is, the usual kind that
+  specify a resource path), and in v0.6.1 they started causing crashes. Now,
+  they're properly classified.
 
 ### v0.6.1 -- 2024-01-19
 

src/builtin-applications/export/Redirector.js

@@ -37,7 +37,7 @@ export class Redirector extends BaseApplication {
 
   /** @override */
   async _impl_handleRequest(request, dispatch) {
-    return request.redirect(
+    return request.sendRedirect(
       `${this.#target}${dispatch.extraString}`,
       this.#statusCode);
   }

src/builtin-applications/export/StaticFiles.js

@@ -52,15 +52,15 @@ export class StaticFiles extends BaseApplication {
 
     if (!resolved) {
       if (this.#notFoundType) {
-        return request.notFound(this.#notFoundType, this.#notFoundContents);
+        return request.sendNotFound(this.#notFoundType, this.#notFoundContents);
       } else {
         return false;
       }
     }
 
     if (resolved.redirect) {
       const redirectTo = resolved.redirect;
-      return request.redirect(redirectTo, 301);
+      return request.sendRedirect(redirectTo, 301);
     } else if (resolved.path) {
       return await request.sendFile(resolved.path, StaticFiles.#SEND_OPTIONS);
     } else {

src/network-protocol/export/ProtocolWrangler.js

@@ -375,21 +375,8 @@ export class ProtocolWrangler {
    *   to run.
    */
   async #handleExpressRequest(req, res, next) {
-    const context = WranglerContext.getNonNull(req.socket, req.stream?.session);
-
-    // TODO: `request.url` is not sanitized by Node, and furthermore it could
-    // legitimately be the form used when talking to a proxy (see RFC7230,
-    // section 5.3). `Request` does its own sanity check and will reject those,
-    // but we should catch it here, in a less ad-hoc way, before trying to
-    // construct the `Request`.
-    let request;
-    try {
-      request = new Request(context, req, res, this.#requestLogger);
-    } catch (e) {
-      res.sendStatus(400); // "Bad Request."
-      return;
-    }
-
+    const context   = WranglerContext.getNonNull(req.socket, req.stream?.session);
+    const request   = new Request(context, req, res, this.#requestLogger);
     const reqLogger = request.logger;
 
     const reqCtx = WranglerContext.forRequest(context, request);
@@ -399,10 +386,15 @@ export class ProtocolWrangler {
 
     res.set('Server', this.#serverHeader);
 
-    if (this.#rateLimiter) {
+    if (!request.pathnameString) {
+      // It's not an `origin` request. We don't handle any other type of
+      // target... yet.
+      await request.sendError(400); // "Bad Request."
+      return;
+    } else if (this.#rateLimiter) {
       const granted = await this.#rateLimiter.newRequest(reqLogger);
       if (!granted) {
-        res.sendStatus(503);
+        await request.sendError(503); // "Service Unavailable."
 
         // Wait for the response to have been at least nominally sent before
         // closing the socket, in the hope that there is a good chance that it